Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that's affected a dozen carmakers.
This team of researchers has found many car-related bugs before. The vulnerability writeup is here.
With today's technology, IT administrators face a trade-off: route DNS traffic in the clear so that malicious domains can be detected and blocked, at the cost of trusting whatever DNS server the client ends up talking to; or authenticate DNS servers and encrypt DNS traffic, at the cost of losing network monitoring. As Ars Technica describes, Windows aims to enable the best of both worlds:
[Zero-Trust DNS] aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices. [...] Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
From Microsoft's announcement:
First, Windows is provisioned with a set of DoH or DoT capable Protective DNS servers; these are expected to only resolve allowed domain names. This provisioning may also contain a list of IP address subnets that should always be allowed (for endpoints without domain names), expected Protective DNS server certificate identities to properly validate the connection is to the expected server, or certificates to be used for client authentication.
Next, Windows will block all outbound IPv4 and IPv6 traffic except for the connections to the Protective DNS servers as well as the DHCP, DHCPv6, and NDP traffic needed to discover network connectivity information. Note that many options from these protocols will be ignored, such as RDNSS, as only the configured Protective DNS servers will be used.
Going forward, DNS responses from one of the Protective DNS servers that contain IP address resolutions will trigger outbound allow exceptions for those IP addresses. This ensures that applications and services that use the system DNS configuration will be allowed to connect to the resolved IP addresses.
Traffic is forbidden by default, allowed only to IPs resolved by your trusted DNS servers, and the DNS traffic itself is encrypted end-to-end without any TLS termination on the path.
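The allow-list behaviour described in Microsoft's announcement, as a toy model added here (not Microsoft's code): egress is default-deny, only DHCP/NDP bootstrap traffic and encrypted DNS to the provisioned Protective DNS servers pass, and per-IP exceptions open only when an answer arrives from one of those servers. Resolver IPs, subnets and answers are constructed; `now` is passed in explicitly so the TTL logic is deterministic.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ZtdnsPolicy:
    """Toy model of the client-side policy: every outbound flow is denied
    unless one of the rules in is_allowed() opens it."""
    protective_dns: set[str]                                   # provisioned resolver IPs
    always_allow: list[str] = field(default_factory=list)      # CIDR subnets without names
    exceptions: dict[str, float] = field(default_factory=dict) # resolved ip -> expiry time

    def on_dns_answer(self, resolver_ip: str, answers: list[str], ttl: int, now: float) -> list[str]:
        """Open per-IP allow exceptions, but only for answers that came back from a
        provisioned Protective DNS server. Answers from any other source (a
        DHCP-advertised resolver, RDNSS, a rogue server) open nothing."""
        if resolver_ip not in self.protective_dns:
            return []
        opened = []
        for ip in answers:
            addr = str(ipaddress.ip_address(ip))
            self.exceptions[addr] = now + ttl      # exception lives as long as the record
            opened.append(addr)
        return opened

    def is_allowed(self, dst_ip: str, dst_port: int, proto: str, now: float) -> bool:
        """Default-deny egress check for a single flow."""
        addr = ipaddress.ip_address(dst_ip)
        # Bootstrap traffic needed to learn connectivity information at all.
        if proto == "udp" and dst_port in (67, 547):          # DHCP, DHCPv6
            return True
        if proto == "icmpv6":                                 # NDP
            return True
        # Encrypted DNS (DoT on 853, DoH on 443) to the Protective DNS servers only.
        if proto == "tcp" and dst_port in (853, 443) and str(addr) in self.protective_dns:
            return True
        # Operator-provisioned subnets for endpoints that have no domain name.
        if any(addr in ipaddress.ip_network(cidr) for cidr in self.always_allow):
            return True
        # Otherwise only IPs learned from a Protective DNS answer, while unexpired.
        expiry = self.exceptions.get(str(addr))
        return expiry is not None and expiry > now
```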
Today, if I had to secure some new infrastructure paradigm I've never worked with, I would approach it by asking a series of questions based on those core security principles and suggest changes based on the answers. I can ask the same set of questions no matter what infrastructure paradigm is used because they are so foundational to securing any infrastructure.
Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.
TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
The domain name code.microsoft.com has an interesting story behind it. Today it’s not linked to anything but that wasn’t always true. This is the story of one of my most successful honeypot instances and how it enabled Microsoft to collect varied threat intelligence against a broad range of actor groups targeting Microsoft.
In a company of 10,000, stuff like that happens with clockwork regularity; your security team is pitted against the sum of human ingenuity. You work to lower the base rate of security lapses, but even with the best tooling and education efforts, there’s that 1% or 5% you’re bound to miss. A breach is only a matter of time; your average CISO is losing sleep over this, not over buffer overflows.
A Times investigation reveals how Israel reaped diplomatic gains around the world from NSO’s Pegasus spyware — a tool America itself purchased but is now trying to ban.
Changing the calculus on defense remains the most important way to prevent attacks, even if it is not as attention-grabbing as offensive efforts.
Even though we believed, and later confirmed, the attacker had limited access, we undertook a comprehensive effort to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, performed forensic triages on 4,893 systems, reimaged and rebooted every machine in our global network including all the systems the threat actor accessed and all Atlassian products (Jira, Confluence, and Bitbucket).
This should be considered the gold standard for the response to and write-up on a security incident.
The attack wiped "almost everything", including thousands of virtual servers and PCs, [Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department] said, describing it as probably the first example of a destructive cyberattack that "completely destroyed the core of a telecoms operator."
Kyivstar and the SBU believe the Russian military intelligence cyberwarfare unit known as Sandworm lingered in Kyivstar’s network since May 2023.
The Biden administration is embarking on the nation’s first comprehensive plan to regulate the security practices of cloud providers.
Identifying and containing [...] compromised user accounts, therefore, prevents attacks from progressing, even if attackers gain initial access. This is why, as announced today, we added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint, a unique and innovative defense mechanism that stops human-operated attacks in their tracks. User containment prevents a compromised user account from accessing endpoints and other resources in the network, limiting attackers’ ability to move laterally regardless of the account’s Active Directory state or privilege level. It is automatically triggered by high-fidelity signals indicating that a compromised user account is being used in an ongoing attack. With user containment, even compromised domain admin accounts cannot help attackers access other devices in the network.
Padding oracles are fairly well known, and padding oracle attacks against AES-CBC with PKCS7 are exceptionally well known. With that, some may find it surprising that dotnet’s (yes, even the new shiny dotnetcore) default behavior is to use CBC mode.
On August 29, the FBI and the Justice Department announced a multinational operation to disrupt and dismantle the malware and botnet known as Qakbot.
An added bonus? $8.6 million in cryptocurrency.
More of this, please.
The following writeup details our work exploring the security of telematic systems, automotive APIs, and the infrastructure that supports it.
And it's not great...
Similarly to classic account hijacking attacks, the attacker's goal is to gain access to the victim's account. However, if the attacker can create an account at a target service using the victim's email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state. After the victim has recovered access and started using the account, the attacker could regain access and takeover the account.
FBI officials on Tuesday dropped a major bombshell: After spending years monitoring exceptionally stealthy malware that one of the Kremlin's most advanced hacker units had installed on hundreds of computers around the world, agents unloaded a payload that caused the malware to disable itself.
In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization's network, moved laterally across the organization's multiple geographically separated sites, and eventually gained access to systems adjacent to the organization's sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period.
Wow. Very impressed by the transparency shown in this report by the CISA red team. More of this, please.
For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn't deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders.
I've really been enjoying this series from SpecterOps walking up the stack from Windows functions to tactics to attack graphs.
A cool academic paper on the constraints of cyber operations as a "subversive trilemma" where speed, intensity, and control are negatively correlated. The author argues that because of this, most cyber operations fall short of their strategic promise and provide, at best, limited strategic utility.
A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.
A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.
What type of encryption you use and how you use it are pretty important.
[...] The Office of Management and Budget (OMB) released a memo: "Moving the U.S. Government Towards Zero Trust Cybersecurity Principles". The memo is a reaction to 2020's SolarWinds incident and 2021's Colonial Pipeline ransomware attack, and advises the Federal Government on what steps each agency must take to improve its cybersecurity.
Many of the items in the memo go well beyond even what the top enterprises and tech startups are doing today. It looks like the government is planning to position itself as a cybersecurity leader (rather than a laggard), while also pushing the private sector into a more robust cybersecurity posture.
Good recommendations all-around.
This blogpost chronicles the recent CVEs investigation, our findings, and how we are helping secure Salt now and in the Quantum future.
Cool infrastructure security research from CloudFlare.
Microsoft announced significant security enhancements to our Exchange Online, Outlook.com, and Hotmail email offerings in February - MTA-STS and DANE. As a former developer on Microsoft's consumer email product, here's why that matters.
When email was originally invented, all emails flowed unencrypted over the Internet through a protocol called the Simple Mail Transfer Protocol (SMTP). Attackers able to listen to Internet traffic between our email server and our recipient's email server would be able to read our emails, just like reading what we might have written on a postcard. As disclosed by various whistleblowers over the last several decades, the intelligence community has such a capability and regularly uses it. This means that any emails we send could be read by our government, the government of the country hosting our email provider, or, in the worst case, someone else in the same coffee shop.
In response to this problem, the STARTTLS command was introduced to SMTP in 2002 to "provide private, authenticated communication over the Internet" in order to give email providers "the ability to protect some or all of their communications from eavesdroppers and attackers." Instead of a postcard, we could use envelopes to protect the contents of our message. However, to preserve backwards compatibility, email providers could choose whether they required incoming emails to be sent over a secure connection (enforced TLS), simply supported a secure connection if the sender wanted to use one (opportunistic TLS), or didn't support secure connections at all. Very few chose to require secure connections. In fact, in 2016, Gmail started notifying users if they were sending email to an email server that still didn't support secure connections, to attempt to improve adoption of STARTTLS.
Even worse, the protection that we get from STARTTLS isn't the same as the protection we have when visiting web sites, where our web browsers can tell the difference between our bank's web site and a web site pretending to be our bank. The SMTP protocol is vulnerable to tampering that can redirect connections to an attacker's server. In fact, senders have no way to confirm that the destination server is the intended server. Our message is protected by an envelope, but we hand it to whoever claims to be the mail carrier.
As a result of these flaws, an attacker sitting between the two email providers could simply pretend to be the recipient email provider and tell the sender either "I don't support secure connections. Send the email without a secure connection" or "I am the recipient's email provider". This is bad! We still can't trust that our emails remain private; an attacker can open our envelope and read the letter and neither us nor our email provider can stop them.
This leads us to these new announcements, which are designed to fix this problem.
The SMTP MTA Strict Transport Security (MTA-STS) standard was developed to ensure that secure connections are always used by SMTP, and to provide a way for senders to refuse to deliver messages to servers they don't trust. The email provider indicates to senders that it supports the new standard with a DNS record and an HTTPS web page. Email providers can look up this information before they start to send the email to your email provider (and vice versa) rather than after. These same protocols secure the web sites we browse every day, so they should be secure and easy for email providers to adopt. Now, we're asking the postal service who our mail carrier is and making sure we only give him or her our envelope. Gmail was the first to adopt this protocol in April 2019.
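What a sending mail server does with those two pieces of information, as an added example (not Microsoft's or any MTA's code): it parses the `_mta-sts` TXT record and the `mta-sts.txt` policy body, checks each MX host against the policy's `mx` patterns, and lets the policy mode decide what happens when a check fails. The record, policy body and MX names are constructed, and the TLS outcome is passed in as flags rather than taken from a real handshake.

```python
"""MTA-STS policy evaluation, following the structure of RFC 8461 policies.
Added example; DNS TXT record, policy body and MX names are constructed."""

# Constructed: what a sender fetches from _mta-sts.<domain> (DNS TXT) and from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (HTTPS).
TXT_RECORD = "v=STSv1; id=20240101T000000Z;"
POLICY_BODY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mx.example.net
max_age: 604800
"""


def parse_txt(record):
    """Return the policy id when the TXT record is a valid STSv1 record, else None.
    A changed id is the signal for the sender to re-fetch the HTTPS policy."""
    fields = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(body):
    """Parse mta-sts.txt into {'version', 'mode', 'mx': [...], 'max_age'}."""
    policy = {"mx": []}
    for line in body.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy.get("max_age", "0"))   # cache lifetime in seconds
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy with no mx entries")
    return policy


def mx_matches(policy, mx_host):
    """True if the MX hostname is one the policy vouches for. A leading '*.'
    matches exactly one label: '*.mx.example.net' covers 'a.mx.example.net'
    but neither 'mx.example.net' nor 'a.b.mx.example.net'."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                                   # ".mx.example.net"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_ok, cert_matches_host):
    """Decide for one MX candidate: 'deliver', 'deliver-and-report' or 'defer'.
    The policy mode decides what happens when the host, TLS or certificate check fails."""
    checks_pass = mx_matches(policy, mx_host) and tls_ok and cert_matches_host
    if policy["mode"] == "none" or checks_pass:
        return "deliver"
    if policy["mode"] == "testing":
        return "deliver-and-report"   # still delivers, but a TLSRPT failure report is generated
    return "defer"                    # enforce: never fall back to cleartext or an unlisted host
```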
Although MTA-STS offers a much-needed upgrade to current protections, the second protocol, DNS-based Authentication of Named Entities (DANE) for SMTP, is the current gold standard for securing email communication. A really advanced attacker could still hijack the DNS lookup that's used in MTA-STS. Actually, such an attacker could do that for the web sites we visit, too. Recognizing this weakness, the Internet community has been working on a more secure version of DNS (called DNSSEC) that ensures that DNS records aren't tampered with and are authentic. When using DANE, an email sender would look up the recipient's email provider's DNS records and verify that they are authentic using DNSSEC, start a secure connection to the recipient, verify that the recipient's presented certificate matches what the DNS records say to expect, and only then send the message. Our attacker can no longer impersonate the postal service; we provably know we're talking to the real postal service and that they have not lied about who our mail carrier is, we've checked the mail carrier's identification before trusting them with our letter, and we know the letter won't be opened before it gets to the recipient.
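The DANE check from the sender's side, as an added example (not Microsoft's or any MTA's code): the TLSA record for an MX host lives at `_25._tcp.<mx-host>`, and a DANE-EE record (usage 3) carries a hash of the certificate or of its public key that the presented certificate must reproduce. The certificate and key bytes, the published records and the DNSSEC validation flag below are constructed stand-ins; a real MTA takes the DER from the TLS handshake and the records from a validating resolver.

```python
"""DANE-for-SMTP TLSA matching for the DANE-EE case. Added example; the DER
blobs are not real X.509, just placeholder bytes to hash."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_name(mx_host, port=25):
    """Owner name the sender queries, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._tcp.{mx_host.lower().rstrip('.')}"


def association_data(cert_der, spki_der, selector, mtype):
    """Derive the bytes a TLSA record would carry for this selector and mtype."""
    obj = {0: cert_der, 1: spki_der}[selector]
    return {0: obj,
            1: hashlib.sha256(obj).digest(),
            2: hashlib.sha512(obj).digest()}[mtype]


def dane_ee_match(records, cert_der, spki_der, dnssec_ad):
    """True only if the TLSA set was DNSSEC-validated (AD flag) and at least one
    usable DANE-EE record matches the certificate the MX host presented.
    Unsigned answers give no DANE guarantee at all, so they count as no match;
    the caller then falls back to MTA-STS or opportunistic TLS. DANE-TA (usage 2)
    needs chain building and is deliberately left out of this minimal checker."""
    if not dnssec_ad:
        return False
    for r in records:
        if r.usage != 3 or r.selector not in (0, 1) or r.mtype not in (0, 1, 2):
            continue
        if association_data(cert_der, spki_der, r.selector, r.mtype) == r.data:
            return True
    return False


# Constructed sample: placeholder DER blobs and the record a domain owner would
# publish for them (usage 3, selector 1 = SPKI, matching type 1 = SHA-256).
MX_CERT_DER = b"constructed-end-entity-certificate-der"
MX_SPKI_DER = b"constructed-subject-public-key-info-der"
PUBLISHED = [Tlsa(3, 1, 1, hashlib.sha256(MX_SPKI_DER).digest())]
```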
These protocols are a huge step forward in ensuring that our email communication is read only by the intended recipients, and I'm excited to see them roll out in both Microsoft's and others' products to secure the communications of billions of people.
Postscript
As a security expert, I would be remiss not to point out that our email is still not protected from all attackers, even with these new protections. Although MTA-STS and DANE ensure that email gets from you to your recipient without being modified or snooped on, emails are generally readable by both your email provider and your recipient's email provider. Google famously had a long-standing practice of scanning Gmail users' inboxes to deliver more effective advertisements (which they ended in 2017). Your email can also potentially be accessed by the employees of the email providers or governments with a legal order. In the United States, the Electronic Communications Protection Act actually allows law enforcement to obtain emails older than 180 days from email providers without a warrant! For your most sensitive communications, if you have to ensure that only one person can read your communication, an encrypted messaging app like Signal, encrypted messages within Skype, or encrypted email in Outlook or Outlook.com might be more suitable.
Security experts are alarmed by the development because Russian government control over security certificates — which one technologist described as a "master key" to all online content in Russia — could dramatically enhance the Vladimir Putin regime's ability to censor and manipulate online content. TLS security certificates are a fundamental internet security protocol used to secure web browsing, email, instant messaging and much more.
Some pretty harrowing stories from Wired about Amazon's retail business's security and privacy culture.
Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. [...]
Specifically, the weakness involves Unicode's bi-directional or "Bidi" algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).
Bidi strikes again!
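A defensive check for the Bidi control characters the passage refers to, added here as an example (not the Cambridge researchers' tooling): it lists every Bidi control in a source text and flags lines where an embedding, override or isolate is still open at end of line, the condition that lets the displayed order of a line differ from the logical order the compiler reads. The sample source is constructed.

```python
"""Scan source text for Unicode Bidi control characters. Added example."""

# Name of each Bidi control character (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OPENERS = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
CLOSERS = {"PDF", "PDI"}


def find_bidi_controls(text):
    """Return (line, column, name) for every Bidi control character in `text`.
    Any hit in source code deserves a look; none are needed in normal code."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def unbalanced_lines(text):
    """Line numbers where an embedding/override/isolate is opened but not closed
    before the end of the line. Such lines can render in a different order than
    the one the compiler parses, which is the core of the Bidi issue."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        depth = 0
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name in OPENERS:
                depth += 1
            elif name in CLOSERS:
                depth = max(0, depth - 1)
        if depth:
            bad.append(lineno)
    return bad


# Constructed sample: one line with an unclosed override inside a comment,
# one line whose isolate is opened and closed on the same line.
SAMPLE = (
    "def check(level):\n"
    "    # plain comment\n"
    "    return level == 'admin'  # \u202e reversed text\n"
    "    # \u2066isolate\u2069 closed on same line\n"
)
```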
On September 30th 2021, Slack had an outage that impacted less than 1% of our online user base, and lasted for 24 hours. This outage was the result of our attempt to enable DNSSEC.
It's always DNS.
But a great writeup from the Slack team on what went wrong.
AI voice cloning is used in a huge heist in the U.A.E., amidst warnings about cybercriminal use of the new technology.
Microsoft president Brad Smith describes Microsoft's efforts to detect and defend both itself and its customers during the Solarwinds attack earlier this year.
I'm thrilled to join Microsoft to take on one of the greatest challenges of our time, leading a newly formed engineering organization: Security, Compliance, Identity, and Management. As digital services have become an integral part of our lives, we're outstripping our ability to provide security and safety. It's constantly highlighted in the headlines we see every day: fraud, theft, ransomware attacks, public exposure of private data, and even attacks against physical infrastructure. This has been weighing on my mind and the best way I can think to describe it is "digital medievalism," where organizations and individuals each depend on the walls of their castles and the strength of their citizens against bad actors who can simply retreat to their own castle with the spoils of an attack. We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have. We all want digital civilization. I believe Microsoft is the only company in a position to deliver this and I couldn't be more excited to work with this talented team to make the world safer for every person and organization on the planet.
Today's announcement between Intel, Microsoft, and DARPA is a program designed around keeping information safe and encrypted, but still using that data to build better models or provide better statistical analysis without disclosing the actual data. It's called Fully Homomorphic Encryption, but it is so computationally intense that the concept is almost useless in practice. This program between the three companies is a driver to provide IP and silicon to accelerate the compute, enabling a more secure environment for collaborative data analysis.
Well that doesn't look too good.
The original name of the company was ""><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD". By beginning the name with a quotation mark and chevron, any site which failed to properly handle the HTML code would have mistakenly thought the company name was blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors.
The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS.
SRLabs didn't find an issue in the RCS standard itself, but rather how it is being implemented by different telcos. [...] "Everybody seems to get it wrong right now, but in different ways."
Shocked, shocked I say.
John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom.
[…] Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages.
The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.
Absolutely fascinating.
ElectionGuard, a new project by Microsoft, [...] is an open code standard, that anyone can audit, freely use, and plug into, to create secure digital voting machines that remove many of the barriers of voting.
Don't miss the interview with Dr. Josh Benaloh on the homomorphic encryption and cryptography behind the project in addition to the pretty pictures of the actual machine design.
The hacking campaign, known as "Cloud Hopper," was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers. Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology.
Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.
This is way too much my life.
"I don't think most Americans realize how insecure U.S. telephone networks are," Wyden said in a statement. "If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren't just hypotheticals."
I'm glad we have at least one tech-savvy Senator.
In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.
Good opsec, y'all.
Fifteen months into a wide-ranging investigation by the agency's counterintelligence arm and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider's leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.
Mr. Snowden's cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code.
A folder in the bucket titled "Secure Store" contains not only configuration files for the Identity API, but also a plaintext document containing the master access key for Accenture's account with Amazon Web Service's Key Management Service, exposing an unknown number of credentials to malicious use.
Yeah, no one ever thought twice before writing that one down, much less exposing it to the Internet?
The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs.
One of the defendants also exploited his access to Yahoo's network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.
Seriously, is there anything these hackers didn't have access to inside Yahoo?
The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people.
Bruce might be right about the need for regulation since that's generally how we control competing interests in public holdings like the environment.
Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.
More than one mistake in that series of events.
Clever attack method, but really one Visa should be already stopping.
Motherboard is citing former NSA staffers who are convinced another insider smuggled the weapons out of an air-gapped system, while The Intercept has definitively tied the malware to the NSA. Pretty much a worst-case scenario for the agency.
I certainly may not like how the NSA knowingly chooses to target Americans' data, but I agree without reservation with their mandate for digital intelligence-gathering against foreign actors. I don't want their methods exposed nor their digital nuclear weapons available to those enemies. I respect Snowden's responsible disclosure; this is reprehensible.
netgear.com
Computer equipment
Editor's Note: Not our first NetGear domain.
It's two years later and their user account passwords are still in plaintext. And these guys make routers. Where, you know, security is important and stuff.
A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.
Watch the full report on 60 Minutes.
According to technical reports by the Royal Canadian Mounted Police that were filed in court, law enforcement intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages in connection with the probe. The report doesn't disclose exactly where the key — effectively a piece of code that could break the encryption on virtually any BlackBerry message sent from one device to another — came from.
The actual, honest-to-God global master BlackBerry encryption key.
See also Motherboard's reporting on this issue and the revelation that PGP-protected BlackBerrys are also hackable.
The National Security Agency director and three past National Security Agency directors, a former CIA director, a former Homeland Security secretary have all said that they're much more sympathetic with Apple in this case.
— Richard Clarke, former counterterrorism official. (via NPR)
A funny yet serious look at the encryption debate. I won't spoil it for you.
Last Week Tonight with John Oliver covers encryption, and man does he do a good job.
On June 9, 1997, 25 officials of the National Security Agency — members of a security squad known as the "Red Team" — hacked into the computer networks of the Department of Defense, using only commercially available equipment and software. It was the first high-level exercise testing whether the U.S. military's leaders, facilities, and global combatant commands were prepared for a cyber attack. And the outcome was alarming.
The path to hell starts at the backdoor, and we need to make sure that encryption technology remains strong.
— Brad Smith, Chief Legal Officer, Microsoft
In short, whatever else the AWA's "usages and principles" clause may be intended to accomplish, it cannot be a means for the executive branch to achieve a legislative goal that Congress has considered and rejected.
— US Magistrate Judge James Orenstein, New York
A big win for Apple and one that possibly sets up a circuit split between the 2nd and 9th Circuits.
At every level of our legal system - from the Constitution, to our statutes, common law, rules, and even the Department of Justice's own policies - society has acted to preserve certain rights at the expense of burdening law enforcement's interest in investigating crimes and bringing criminals to justice.
Forceful and compelling, with notable citations of the First and Fifth Amendments and CALEA.
Microsoft Corp. will file an amicus brief next week to support Apple Inc. in its fight with the U.S. government over unlocking a terrorist's iPhone, President and Chief Legal Officer Brad Smith said at a congressional hearing Thursday to discuss the need for new legislation to govern privacy.
About time.
Either everyone gets security or no one does. Either everyone gets access or no one does. The current case is about a single iPhone 5c, but the precedent it sets will apply to all smartphones, computers, cars and everything the Internet of Things promises. The danger is that the court's demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized. The FBI may be targeting the iPhone of the San Bernardino shooter, but its actions imperil us all.
Bruce Schneier is one of the leading security and privacy experts in the world and his opinion in this case is no surprise.
On Tuesday, the United States District Court of California issued an order requiring Apple to assist the FBI in accessing a locked iPhone — and not just any iPhone, but the iPhone 5c used by one of the San Bernardino shooters. The order is very clear: build new firmware to enable the FBI to perform an unlimited, high speed brute force attack and place that firmware on the device.
Dan Guido argues that the request is technically feasible given that Apple can sign firmware updates to the Secure Enclave:
I believe it is technically feasible for Apple to comply with all of the FBI's requests in this case. On the iPhone 5C, the passcode delay and device erasure are implemented in software and Apple can add support for peripheral devices that facilitate PIN code entry. In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI.
Despite the technical feasibility and the emotion of a terrible domestic terrorism case, Apple is fighting this order, because coercing a company to defeat its own security measures using a law from 1789 could set a dangerous precedent for future cases and for encryption at large. Tim Cook's letter shows that Apple well understands the legal precedent this could set and is resolutely opposed:
The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.
I applaud Apple's stance and support the continued adoption of strong encryption and security measures to protect us from government and criminals alike.
The information security community has a model to assess and respond to threats, at least as a starting point. It breaks information security into three essential components: confidentiality, integrity, and availability.
Of these, integrity is the least understood and most nebulous. And what many people don't realize is it's the greatest threat to businesses and governments today.
"It's the major scenario we've all been concerned about for so long."
Privacy advocates also worry that to carry out its hacks, the FBI is using "zero-day" exploits that take advantage of software flaws that have not been disclosed to the software maker. That practice makes consumers who use the software vulnerable, they argue.
Hess acknowledged that the bureau uses zero-days — the first time an official has done so.
Great paper from USENIX on the security asymmetry between writing and reading cookies (even those marked Secure) and some of its practical security implications.
Along with reported computer breaches of a French TV network and the White House, a number of attacks now being attributed to Russian hackers and some not previously disclosed have riveted intelligence officials as relations with Russia have deteriorated. These targets include the Polish stock market, the U.S. House of Representatives, a German steel plant that suffered severe damage and The New York Times.
They melted down an industrial steel furnace and yet people say the Internet of Things is a good idea...
Good roundup of recent automobile computer security vulnerabilities and the impact to future connected car platforms.
The National Security Agency's bulk telephone metadata collection program exposed by Edward Snowden is not authorized by the Patriot Act, a federal appeals court ruled Thursday.
Hallelujah!
At a moment when American lawmakers are reconsidering the broad surveillance powers assumed by the government after Sept. 11, the lower house of the French Parliament took a long stride in the opposite direction Tuesday, overwhelmingly approving a bill that could give the authorities their most intrusive domestic spying abilities ever, with almost no judicial oversight.
The money quote from the discussion of how the (lack of) oversight works:
While in theory, the prime minister would act independently, it would probably be difficult for him or her to oppose the intelligence services, because they would most likely be supplying information about possible terrorist or criminal targets.
Clever research leading to the inevitable conclusion that Java is horribly broken:
This figure shows that JSSE clients allow the peer to skip all messages related to key exchange and authentication. In particular, a network attacker can send the certificate of any arbitrary website, and skip the rest of the protocol messages. A vulnerable JSSE client is then willing to accept the certificate and start exchanging unencrypted application data. In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years.
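To make the "skipped messages" failure concrete, here is an added example (not code from the paper or from JSSE) that models a TLS 1.2 client's receive-side handshake state machine two ways: a strict one that demands every message in order, and a permissive one mirroring the behaviour described above, where a bare certificate followed by application data is accepted. The message names, the ephemeral-key-exchange assumption and the two sample sequences are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Messages a client may receive from the server, in the order the
 * handshake mandates for an ephemeral key exchange (assumed here). */
enum msg {
    SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE,
    CHANGE_CIPHER_SPEC, FINISHED, APP_DATA
};

/* Strict client model: each received message must be exactly the one the
 * state machine is waiting for. The client's own flight (ClientKeyExchange,
 * ChangeCipherSpec, Finished) is implied between SERVER_HELLO_DONE and the
 * server's CHANGE_CIPHER_SPEC and is not modelled. Returns 1 when every
 * message was accepted and the handshake reached the server's Finished. */
int strict_client_accepts(const enum msg *seq, size_t n)
{
    enum msg expected = SERVER_HELLO;        /* next acceptable message */
    for (size_t i = 0; i < n; i++) {
        if (seq[i] != expected)
            return 0;                        /* skipped or out of order */
        if (expected == APP_DATA)
            continue;                        /* steady state after Finished */
        expected = (enum msg)(expected + 1); /* advance to the next step */
    }
    return n > 0 && expected == APP_DATA;
}

/* Permissive client model of the described flaw: handshake messages are
 * accepted in any order, and application data is accepted as soon as a
 * certificate has been seen, even though the peer never had to prove it
 * holds the matching private key (no ServerKeyExchange, no Finished). */
int permissive_client_accepts(const enum msg *seq, size_t n)
{
    int have_cert = 0;
    for (size_t i = 0; i < n; i++) {
        if (seq[i] == CERTIFICATE)
            have_cert = 1;
        else if (seq[i] == APP_DATA && !have_cert)
            return 0;
    }
    return have_cert;
}

/* Constructed sample traces. SKIP_SEQ is the attack-shaped trace from the
 * paper's description: a certificate, then straight to application data. */
static const enum msg SKIP_SEQ[] = { SERVER_HELLO, CERTIFICATE, APP_DATA };
static const enum msg FULL_SEQ[] = {
    SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE,
    CHANGE_CIPHER_SPEC, FINISHED, APP_DATA
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("skip trace: strict=%d permissive=%d\n",
           strict_client_accepts(SKIP_SEQ, LEN(SKIP_SEQ)),
           permissive_client_accepts(SKIP_SEQ, LEN(SKIP_SEQ)));
    printf("full trace: strict=%d permissive=%d\n",
           strict_client_accepts(FULL_SEQ, LEN(FULL_SEQ)),
           permissive_client_accepts(FULL_SEQ, LEN(FULL_SEQ)));
    return 0;
}
```

The defensive property to look for in any TLS implementation is the strict version's: the set of acceptable next messages is a function of the current state, never of whatever the peer chooses to send.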
For nearly a year, the researchers [Kaspersky] have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date.
See also Ars Technica:
The accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.
The attackers managed to rewrite hard drives' firmware to enable persistence. Reuters quotes sources saying it was in fact the NSA and quotes Kaspersky's argument:
The authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," [lead Kaspersky researcher Costin Raiu] said.
Incredible.
We are not Charlie, in other words, because we risk so little for what we claim to value so much.
— Philip Gourevitch, The Life-Giving Defiance of the Charlie Hebdo Cartoonists
But precisely what made passwords so flawed is also what Bonneau said he found uplifting. "People take a nonnatural requirement imposed on them, like memorizing a password," he said, "and make it a meaningful human experience."
A wonderful look at the intimacy and rich back stories passwords often have in our lives.
The history of Hellman's (and Stanford's) fight to publish his cryptographic research against the objections of the NSA.
Some more disturbing stuff in the latest set of NSA leaks. Granted, the fact that the NSA works with foreign and domestic companies and has gained physical access to infrastructure isn't new, but the stuff that is new is scary, and the list of ECI program descriptions is telling:
In addition to so-called "close access" operations, the NSA's "core secrets" include the fact that the agency works with U.S. and foreign companies to weaken their encryption systems; the fact that the NSA spends "hundreds of millions of dollars" on technology to defeat commercial encryption; and the fact that the agency works with U.S. and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries. Many of the NSA's core secrets concern its relationships to domestic and foreign corporations.
Props for something that compromises the security of the Internet almost sounding cute.
The best biography I've seen on Snowden and his motivations yet.
The agents found little evidence of a broader attack. What they did find were systematic security failures riddling some of the most important U.S. financial institutions. It turned out that many on the list were vulnerable to the same attack that struck Nasdaq. They were spared only because the hackers hadn't bothered to try.
Multiple entities had unrestricted access to the Nasdaq's networks for up to three months. Four years later, we don't have a clear picture of what they did or why, and we have more proof that the places we assume are secure are in fact not very.
An amazingly revealing experiment about the online services we use everyday.
We tested every single device in our environment–various radiology stuff and MRIs, ultrasound and mammography systems, cardiology, oncology. We tested all of our lab systems, surgery robots, fetal monitoring, ventilators, anesthesia.
Basically all of them are broken.
The proprietary radio protocol communicates with no encryption, making it possible for people to monitor or tamper with the signal contents, which are used to determine whether a traffic light should stay green or turn red, display a particular message, or alert authorities to a potential emergency.
Of course it's not encrypted. Why should we protect the reliability of traffic lights?
A few years ago we did a complete analysis of our entire network. Cyber engineers found out that the system is extremely safe and extremely secure in the way it's developed.
— ICBM forces commander Major General Jack Weinstein
This is at least in part due to the fact that 8" floppy disks are involved in launching a nuclear missile.
Another day, another broken implementation of web security in a widely used product. CVE-2014-0160 is melting the Internet, and we're going to be dealing with the fallout for quite some time. A lot of engineers are not going home tonight...
There's more technical detail in here than even I can follow, but it sounds like on the whole Apple put some seriously impressive technical effort into securing iCloud, Keychain, and other personal data backed up from iOS. Props to them.
The Guardian attends a master key ceremony for the Internet's root DNS servers and details the technological and social constructs behind it.
It's a one-line bug that should have been caught in code review, but unfortunately wasn't. The result is a failure to validate that the server being connected to actually possesses the private key matching its certificate.
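As an added illustration (not Apple's code), here is a reconstruction of the bug pattern: a chain of error-checked steps where one "goto fail" line is duplicated, so the signature check that ties the server to its certificate is never executed, shown next to the corrected chain. All function names are hypothetical stand-ins for the real handshake steps.

```c
#include <stdio.h>

/* Stand-ins for the real steps; each returns 0 on success, nonzero on error.
 * hash_update() feeds a handshake message into the transcript hash. */
static int hash_update(const char *chunk) { return chunk ? 0 : -1; }

/* The signature check over the transcript. In a real client this is the
 * step that proves the server holds the private key for its certificate. */
static int verify_signature(int sig_valid) { return sig_valid ? 0 : -1; }

/* Buggy version. The second, indented-to-look-conditional "goto fail" is
 * unconditional: err is still 0 from the previous successful step, control
 * jumps to fail:, and verify_signature() is dead code. A bad signature is
 * therefore reported as success (return value 0). */
int verify_server_key_exchange_buggy(int sig_valid)
{
    int err;
    if ((err = hash_update("ServerHello")) != 0)
        goto fail;
    if ((err = hash_update("ServerKeyExchange")) != 0)
        goto fail;
        goto fail;                             /* the stray duplicated line */
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed version: exactly one goto per check, so the signature result
 * always reaches the caller. */
int verify_server_key_exchange_fixed(int sig_valid)
{
    int err;
    if ((err = hash_update("ServerHello")) != 0)
        goto fail;
    if ((err = hash_update("ServerKeyExchange")) != 0)
        goto fail;
    if ((err = verify_signature(sig_valid)) != 0)
        goto fail;
fail:
    return err;
}

int main(void)
{
    printf("buggy, bad signature:  %d\n", verify_server_key_exchange_buggy(0));
    printf("fixed, bad signature:  %d\n", verify_server_key_exchange_fixed(0));
    printf("fixed, good signature: %d\n", verify_server_key_exchange_fixed(1));
    return 0;
}
```

Everything after the stray line in the buggy function is unreachable, which is exactly the kind of thing an unreachable-code warning or a static analyzer in the build would have flagged before review.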
The response of those who are worried about surveillance has so far been too much couched, it seems to me, in terms of the violation of the right to privacy. Of course it's true that my privacy has been violated if someone is reading my emails without my knowledge. But my point is that my liberty is also being violated, and not merely by the fact that someone is reading my emails but also by the fact that someone has the power to do so should they choose. We have to insist that this in itself takes away liberty because it leaves us at the mercy of arbitrary power. It's no use those who have possession of this power promising that they won't necessarily use it, or will use it only for the common good. What is offensive to liberty is the very existence of such arbitrary power.
— Quentin Skinner, Liberty, Liberalism and Surveillance: A Historic Overview (via Three Things I Learned From the Snowden Files)
I've heard of the NSA's TAO unit before, but some of the stuff described in this article sounds fantastical - using Windows Error Reporting to identify programs and vulnerabilities in conjunction with XKeyscore and physically intercepting online electronics purchases. I'm impressed and terrified at the same time.
They used symmetric encryption. <sigh/>
Some math required, but a good introduction to the cryptographic problems that underlie the future of technical security.
Rolling Stone covers hackers and America's private cybersecurity apparatus.
More from the annals of "Scary Security Stuff Found by the Internet":
On the Internet you can find websites that provide vessel tracking data based either on asking people to volunteer the information from their AIS receivers or deploying some themselves. However, we observed AIS receivers that are blatantly open on the Internet, many belonging to private organizations and institutions.
Considering that a lot of military, law enforcement, cargo, and passenger ships broadcast their positions, we feel that this is a security risk.
People doing stupid things on the open Internet could be a security risk? You don't say.
This is only a test. But it's not a test:
The engineer's computer was compromised using a real zero-day exploit targeting an undisclosed piece of software. It allowed a "red team" composed of current and former Facebook employees to access the company's code production environment. The PHP code on the Facebook site contained a real backdoor.
They went to some crazy lengths to test their security teams and security response and did so publicly. Props to them.
It'd be great if someone could simply write some sort of universal software checker that sniffs out any program's potential flaws. One small problem: Such a checker can't exist. [...] But while a universal checker is impossible, verifying that a particular program will always work as promised is merely an exceedingly-freakin'-difficult task.
And those can always be solved by throwing money at the problem.
The system would enable people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone. This reduces the risk that a fraudster will obtain the person's voice biometric data, which could subsequently be used to access bank, health care or other personal accounts.
Preventing the transmission of voice data from client to server doesn't seem to be the major problem with voiceprint authentication to me, since in every spy movie they just record the person while they're talking...
"Gauss," as Kaspersky Lab researchers have dubbed the malware, was devised by the same "factory" or "factories" responsible for the Stuxnet worm used to disrupt Iran's nuclear program, as well as the Flame and Duqu Trojans.
With the ability to monitor and steal data from several banks, the suggestion is that this malware monitors financial transactions related to terrorism. In addition to doing who knows what with a chunk of the payload that will likely never be decrypted, it installs a random custom font.
By plugging an Arduino microcontroller into the [lock], Brocious found that he could simply read this 32-bit key out of the lock's memory. No authentication is required — and the key is stored in the same memory location on every Onity lock.
If that wasn't bad enough, the lock unlocks when you play the key back to it. I feel safe.
The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087 – Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base. To that end, we have been working with Microsoft Research to develop a "Cloned Code Detection" system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product. This system is the one that found several of the copies of CVE-2011-3402 that we are now addressing with MS12-034.
Awesome. Hotmail uses a related system developed by MSRC for XSS attacks.
This would be such a fun job...
And as with the opt-in security settings of the past, today's opt-in privacy settings are leading to all sorts of problems. Every day we see headlines about privacy violations that could've been avoided if we used software that didn't treat privacy as an option.
Fitting analogy for the state of technology today. What will it take for companies to make privacy a default, not an option?
Virtually none of the agency's portable devices are encrypted, and 48 of them were lost or stolen between April 2009 and April 2011. One of those was an unencrypted notebook containing algorithms to command and control the International Space Station.
That sounds like fun.
TSA has spent approximately $60 billion since 2002 and now has over 65,000 employees, more than the Department of State, more than the Department of Energy, more than the Department of Labor, more than the Department of Education, and more than the Department of Housing and Urban Development - combined. TSA has become, according to [a government] report, "an enormous, inflexible and distracted bureaucracy more concerned with… consolidating power."
Lots of good/harsh points from a former FBI Special Agent with the Los Angeles Joint Terrorism Task Force (and pilot).
What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia — like Google, the State Department and the Internet security giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat — whether in pursuit of confidential government information or corporate trade secrets.
"If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated," said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence.
I didn't even begin to think hacking into visitors' mobile devices for access to corporate or government information was that prevalent.
What if we could automate the humans; I mean what if we could take CAPTCHAs and solve them at such a rate that these registration processes could be easily automated? Well it turns out you can and it will only cost you a couple of bucks.
A detailed look at the automated world of CAPTCHA-breaking, just a world automated at a different place than you expected. And it works well, too. One broken every 0.98 seconds with a 94% success rate.
The method exploits a feature meant to aid typing on small touchscreens: magnified keys. iSpy can identify text typed on a touchscreen from video footage of the screen or even its reflection in windows or sunglasses. Video from an ordinary mobile phone camera can be used to spy on a person from 3 metres away. And a snoop with a digital SLR camera that shoots HD video could read a screen up to 60 metres away.
"We were surprised at how well [this idea] worked."
Bonus points for the fact that one of the researchers is a former Hopkins professor and for a quote from a current Hopkins professor.
Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems.
Oh, Internet...
Researchers at Georgia Tech and MIT have developed a proof of concept to demonstrate that it is possible to record a computer user's keystrokes using an iPhone 4's accelerometer. The researchers developed a method to accurately translate the vibrations from typing on a keyboard picked up by the device's accelerometer when placed on a desk near a PC.
Probably cooler than using the accelerometer as a keylogger on a touchscreen phone as I posted last month.
Kinda sorta. From a Facebook engineer in the comments:
We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports.
It's starting to sound like either Facebook doesn't know where their cookies go and how they're used, or their whole cookie management system is riddled with bugs. Both ignorance and incompetence are confidence-inspiring.
Facebook has fixed a "bug" where a cookie containing your account ID persisted after logout. But the remaining cookies...
...by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described.
At a press event today in New York and San Francisco, we announced and previewed a selection of new Windows Live Hotmail features that will be rolling out to users in the coming month, including better tools for managing newsletters like unsubscribe and scheduled inbox cleanup, improvements to flagging, custom categories for filters and quickviews, a new Android app with full email, contact, and calendar syncing, and my favorite, instant actions that appear when hovering over messages. The official blog post details a few of these, WinRumors has a writeup with some other details and screenshots, and http://anotherlookathotmail.com has video of the new features in action along with facts and stats, performance numbers, info on security, and why you should give Hotmail another look.
Facebook responds to the tracking allegations with comments to the Wall Street Journal:
Facebook on Monday defended its practice of gathering data from "Like" buttons even after users have logged out, saying that the collection is part of a system to prevent improper logins and that the information is quickly deleted.
Sounds like no one's denying this is actually true.
Arturo Bejar, a Facebook director of engineering, said that the data is required to prevent spam and phishing attacks and to help keep users from having to go through extra authentication steps every time they log in.
"The onus is on us to take all the data and scrub it," said Bejar. "What really matters is what we say as a company and back it up."
That's funny, Facebook. I really don't trust what you say.
The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.
The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application. A number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.
Subsequent requests to Facebook as a signed-out user still send nine different cookies, including your account number, to Facebook or to any page that interfaces with Facebook.
As do all web technologies, if used the wrong way and without mind for security.
A security researcher has uncovered a slew of vulnerabilities in Siemens industrial control systems, including a hardcoded password, that would let attackers reprogram the systems with malicious commands to sabotage critical infrastructures and even lock out legitimate administrators.
Stuxnet apparently didn't have to work too hard. There's also an easter egg HTML page with dancing monkeys. Gotta love the Black Hat security conference.
The Mac OS vulnerability relates to user login passwords that are stored in the system memory even if the computer is locked or put into a sleep mode. Passware's software captures live Mac computer memory over FireWire and analyzes it, extracting these passwords, a process that the company says takes just a few minutes--regardless of password strength and use of a FileVault encryption. The vulnerability is present in all modern versions of Mac OS, including Mac OS X 10.6 Snow Leopard and the latest Mac OS X 10.7 Lion, released last week.
Love is the ultimate outlaw. It just won't adhere to any rules. The most any of us can do is to sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question.
Nice analysis of what makes a practically secure password.
Console Hacking 2010 (via Joystiq)
Hackers fully crack the PS3's encryption scheme because Sony failed to use a random number in the right place in the encryption algorithm. (Start at 35:47).
I seem to keep pointing this to people on occasion and realized I didn't have a copy of it anywhere. This was given honorable mention for the 2002 Pulitzer prize in commentary.
Thoughts from a security researcher on the value of full disclosure, and the balance between secrecy and security.
Gaia is a great name for a software system. On a more related note, this scares me. A lot. This is why the NSA was brought in.